This policy explains what data Nearby collects, how it uses that data, and your rights over it. It applies to the Nearby app installed on a Shopify store and to the data the app processes on behalf of that store.
Who runs Nearby
Nearby is operated by Harbour Labs Digital Ltd (“Harbour Labs”, “we”, “us”), registered in England & Wales under company number 17200663. Where this policy refers to personal data, Harbour Labs is the data controller for our own business records and the data processor for data processed on behalf of a merchant's store (with the merchant as the controller).
If you have any questions about this policy, email nearby@harbourlabs.app.
What Nearby reads from Shopify
Nearby requests read-only access scopes and never writes to your store:
read_products— product and variant details, to match the widget to the right itemread_inventory— stock levels per location, so the widget is accurateread_locations— your locations and their addresses, for the mapread_orders— used only to attribute verified in-store revenue for ROI analytics on the Growth plan
What Nearby stores
When you install Nearby on your Shopify store, we receive and store:
- Your shop's
myshopify.comdomain - The OAuth access token that lets the app read your store's data (encrypted at rest)
- A synced copy of your products, locations, and inventory levels, so the widget is fast and accurate
- Your settings: widget and map style, appearance, opening hours, pickup details, and stock thresholds
- If you add one, your Google Maps API key — encrypted at rest
- Aggregate analytics events: widget views and clicks, and order-derived ROI on the Growth plan
Shopper data on the storefront
The product-page widget sorts your locations by distance from the shopper. To do that it uses the shopper's approximate location, or a place they type into the locator, at the time they use it. Requests from the storefront run through Shopify's App Proxy, so they are same-origin with your shop, signed, and rate-limited. Nearby does not build profiles of individual shoppers and does not sell data.
How Nearby uses the data
- To show in-stock locations. The synced inventory and locations power the product-page widget so shoppers see the nearest location that has the item.
- To place stores on a map. Store addresses are geocoded to coordinates, and the map is rendered with tiles from our map provider.
- To show what's working. On Growth, aggregate analytics show widget intent, out-of-stock demand, and verified in-store ROI derived from your Shopify orders.
- To keep itself in sync. Shopify webhooks for inventory, products, locations, and orders keep the synced data current.
Sub-processors
Nearby runs on these third-party services, each of which processes some of the data above on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Shopify | App platform, OAuth, billing | Global |
| Railway | App hosting and Postgres database | US |
| MapTiler | Map tiles and styles | EU / CDN |
| OpenRouteService | Drive-time routes (Growth) | EU |
| Geocoding of store addresses, and Google Maps rendering when you enable it (Growth) | Global |
Each provider has their own privacy notice and processes data on our instructions only. Google Maps is only used when a merchant enables it and supplies a key; otherwise the map is rendered with MapTiler.
Retention
| Data | Retention |
|---|---|
| Merchant OAuth token | Until the app is uninstalled |
| Synced products, locations & inventory | Until the app is uninstalled |
| Merchant settings | Until the app is uninstalled |
| Aggregate analytics events | Until the app is uninstalled |
When you uninstall Nearby, we receive Shopify's app/uninstalled webhook and delete the data for your shop.
Your rights (UK GDPR / EU GDPR)
If you are based in the UK or EU, you have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased
- Restrict or object to processing
- Data portability
To exercise any of these rights, email nearby@harbourlabs.app. We respond within 30 days.
How data requests are handled
Nearby implements Shopify's three mandatory data-protection webhooks:
customers/data_request: when a merchant's customer requests a copy of their data, Shopify forwards the request to us and we respond with any data Nearby holds about them.customers/redact: when a customer requests deletion, Shopify forwards the request to us and we delete any matching data.shop/redact: 48 hours after the app is uninstalled, Shopify forwards a final delete request and we erase any residual data.
International transfers
Data may be transferred outside the UK and EU — primarily because the app and its database are hosted in the US. Where this happens, the transfer is covered by the Standard Contractual Clauses or an equivalent safeguard.
Security
We use standard practices: HTTPS in transit, encryption at rest for the OAuth token and any stored map key, and least-privilege access for any human operator.
Changes to this policy
If we make material changes, we will update the “Last updated” date below and notify you via the in-app dashboard. Continued use of Nearby after the update means you accept the revised policy.